Second part of bug 26257: [SECURITY] Bugzilla should prevent malicious webpages from...

diff --git a/template/en/default/global/confirm-action.html.tmpl b/template/en/default/global/confirm-action.html.tmpl
new file mode 100644 (file)
index 0000000..e57a83c
--- /dev/null
+++ b/template/en/default/global/confirm-action.html.tmpl
@@ -0,0 +1,63 @@
+[%# The contents of this file are subject to the Mozilla Public
+  # License Version 1.1 (the "License"); you may not use this file
+  # except in compliance with the License. You may obtain a copy of
+  # the License at http://www.mozilla.org/MPL/
+  #
+  # Software distributed under the License is distributed on an "AS
+  # IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
+  # implied. See the License for the specific language governing
+  # rights and limitations under the License.
+  #
+  # The Original Code is the Bugzilla Bug Tracking System.
+  #
+  # The Initial Developer of the Original Code is Frédéric Buclin.
+  # Portions created by Frédéric Buclin are Copyright (C) 2008
+  # Frédéric Buclin. All Rights Reserved.
+  #
+  # Contributor(s): Frédéric Buclin <LpSolit@gmail.com>
+  #%]
+
+[%# INTERFACE:
+  # script_name: the script generating this warning.
+  # token: a valid token for the current action.
+  # reason: reason of the failure.
+  #%]
+
+[% PROCESS global/header.html.tmpl title = "Suspicious Action"
+                                   style_urls = ['skins/standard/global.css'] %]
+
+<div class="throw_error">
+  [% IF reason == "expired_token" %]
+    Your changes have been rejected because you exceeded the time limit
+    of [% constants.MAX_TOKEN_AGE FILTER html %] days before submitting your
+    changes to [% script_name FILTER html %]. Your page may have been displayed
+    for too long, or old changes have been resubmitted by accident.
+
+  [% ELSIF reason == "missing_token" %]
+    It looks like you didn't come from the right page.
+    One reason could be that you entered the URL in the address bar of your
+    web browser directly, which should be safe. Another reason could be that
+    you clicked on a URL which redirected you here <b>without your consent</b>.
+
+  [% ELSIF reason == "invalid_token" %]
+    You submitted changes to [% script_name FILTER html %] with an invalid
+    token, which may indicate that someone tried to abuse you, for instance
+    by making you click on a URL which redirected you here <b>without your
+    consent</b>.
+  [% END %]
+  <p>
+    Are you sure you want to commit these changes?
+  </p>
+</div>
+
+<form name="check" id="check" method="post" action="[% script_name FILTER html %]">
+  [% PROCESS "global/hidden-fields.html.tmpl"
+             exclude="^(Bugzilla_login|Bugzilla_password|token)$" %]
+  <input type="hidden" name="token" value="[% token FILTER html %]">
+  <input type="submit" id="confirm" value="Yes, Confirm Changes">
+</form>
+
+<p><a href="index.cgi">No, throw away these changes</a> (you will be redirected
+to the home page).</p>
+
+[% PROCESS global/footer.html.tmpl %]